
Microsoft Extends Edge Bug Bounty Program Indefinitely

Microsoft said Wednesday it would extend its Edge bug bounty program indefinitely.

Microsoft said Wednesday it would no longer impose a time limit for its Edge bug bounty program.

The Redmond, Wash.-based company announced the Edge on Windows Insider Preview (WIP) program in August 2016 as a means to incentivize researchers to find and report vulnerabilities in the browser.

Initially the program paid bounties to researchers who discovered remote code execution vulnerabilities, same-origin bypass vulnerabilities, and referrer spoofing vulnerabilities. The program has since expanded and while it still awards bounties for critical remote code execution it also awards bounties for any design issue in the browser that could compromise a user’s privacy and security.

The program was slated to run until this May but, according to Microsoft, will now extend indefinitely.

“Keeping in line with our philosophy of protecting customers and proactively partnering with researchers, today we are changing the Edge on Windows Insider Preview (WIP) bounty program from a time bound to a sustained bounty program,” Akila Srinivasan, a member of Microsoft’s Security Response Center, wrote Wednesday in a Technet post.

The details of the program, below, more or less mirror the details of the limited program Microsoft announced last August.

Any critical remote code execution or important design issue that compromises a customer’s privacy and security will receive a bounty

The bounty program is sustained and will continue indefinitely at Microsoft’s discretion

Bounty payouts will range from $500 USD to $15,000 USD

If a researcher reports a qualifying vulnerability already found internally by Microsoft, a payment will be made to the first finder at a maximum of $1,500 USD

Vulnerabilities must be reproducible on the latest Windows Insider Preview (slow track)

The program has been a success; Srinivasan says Microsoft has handed out $200,000 in bounties since the program’s inception last August.

Microsoft has been fairly fluid with its bug bounty programs since starting its first back in 2013. The company announced one of its latest, for Office Insider Builds on Windows, back in March. The company said at the time it would pay up to $15,000 for high-severity elevation of privilege vulnerabilities via Office Protected View and for macro execution vulnerabilities that bypass security policies already in place that block macros by default.

That program, like last August’s Edge program, was temporary and expired last Thursday.

Discussion

I found a flaw in Edge. The flaw is that it is a Microsoft browser. When a car has holes in the floor, a missing door, a wrench to steer with, and large amounts of black smoke emanating from the engine, I don't ask people to find the flaws in it.

Authors

Threatpost
